monstra-cms / monstra

THIS PROJECT IS NOT SUPPORTED ANYMORE! Check FLEXTYPE.ORG
http://flextype.org
MIT License

Authenticated Stored Cross Site Scripting Vulnerability #427

Open c0d3G33k opened 6 years ago

c0d3G33k commented 6 years ago

Hi, I have found a stored XSS vulnerability.

Affected Version: 3.0.4 or before

Affected URL: http:///monstra/

Payload

"><img src=x onerror=prompt(1)>

Steps to replicate:

  1. Go to http://127.0.0.1/monstra/admin/index.php?id=pages
  2. Create a new page
  3. Navigate to title section
  4. Enter payload as shown in above section
  5. Visit http:///monstra/.php
  6. You will trigger JavaScript execution

Impacts:

A user with editor-level privileges can achieve JavaScript code execution in the admin's session.

Testing Environment:

  1. Server: Apache 2.4.2
  2. PHP : 7.1.8

Mitigation: pass user input through the function below

function test_input($data) {
  $data = trim($data);          // drop surrounding whitespace
  $data = stripslashes($data);  // remove escaping backslashes (legacy magic_quotes clean-up)
  // ENT_QUOTES also encodes single quotes, so the value is safe inside
  // single-quoted attributes too; state the charset explicitly
  $data = htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
  return $data;
}
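As an added example (not code from the Monstra project or from the issue author), the snippet below applies the same htmlspecialchars-based escaping at output time, where the stored title is written into the HTML response, and shows that the payload from this report is rendered as inert text in both element content and an attribute value. The functions escape_html() and render_title() and the sample data are assumed for illustration.

```php
<?php
// Added example, not part of the Monstra code base: escape the page title
// when it is rendered rather than (or in addition to) when it is stored, so
// every output context gets the encoding it needs.

function escape_html(string $value): string
{
    // ENT_QUOTES encodes both " and ', so the result is safe in element
    // content and in double- or single-quoted attribute values.
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty
    // string, which would otherwise silently drop the whole title.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_title(string $title): string
{
    // One escaped value serves both positions: the <title> text and the
    // data-title attribute of the heading.
    $safe = escape_html($title);
    return "<title>{$safe}</title>\n"
         . "<h1 data-title=\"{$safe}\">{$safe}</h1>\n";
}

// Constructed sample: the payload from this report stored as a page title.
$stored_title = '"><img src=x onerror=prompt(1)>';
echo render_title($stored_title);
```

Because htmlspecialchars turns `<` into `&lt;`, `>` into `&gt;` and `"` into `&quot;`, the browser never sees an `<img>` start tag or a closed attribute, so no event handler is created and no script runs; the title is simply displayed verbatim. Escaping at output is the durable fix, since content already stored in the database before a mitigation is deployed is still rendered safely.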